How to write regex for search or index time field ...

smudge797 · ‎08-14-2014

Im trying to get search time field extractions (or index time) on the following log format:

2014-06-11T09:32:45.545-07:00 - INFO
RequestType:SFPR
UniqueRequestGUID:0e160f29-d75b-49dd-b966-4d93678d0590
SessionGUID:826e14ab-df0f-41c8-b874-13d17dd0b655
ProductType:PACKAGE
TPID:6
EPID:0
PGPR_PIID:f4669df2-e9af-429c-8b9d-b1b4aa136d9e-0
PGPR_ConnOpen:1
PGPR_Ser:2
PGPR_RequestDuration:25
PGPR_Des:2
RequestDuration:30

martin_mueller · ‎08-14-2014

Seems like fairly straightforward key-value extraction, try this:

props.conf

[your_sourcetype]
REPORT-kv = key_colon_value

transforms.conf

[key_colon_value]
REGEX = ^(?<_KEY_1>\w+):(?<_VAL_1>.*)$

Make sure my use of start- and end-of-line anchors works correctly without specifying any flags such as (?m) or (?s), I frequently mix those up 🙂

somesoni2 · ‎08-14-2014

Try this as transform REGEX.

\s*(?<KEY_1>[a-zA-Z\]+):(?<_VAL_1>[^\s]*)

smudge797 · ‎08-14-2014

Do i not need something extra to have the : appear as a =
So ProductType:PACKAGE would be ProductType=PACKAGE

smudge797 · ‎08-14-2014

Thanks Martin..
interesting, it does not appear to be working. Can you expand on the anchor points?
Maybe i am mixing them up!

How to write regex for search or index time field extractions?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

How to write regex for search or index time field extractions?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits